SEC, FTC Investigate Heartland After Data Theft

Federal agencies, including the U.S. Federal Trade Commission and the U.S. Securities and Exchange Commission, have begun investigating Heartland Payment Systems following a massive data breach at the payment processing company.

Company President and Chief Financial Officer Robert Baldwin Jr. disclosed the investigations during Heartland’s quarterly conference call with investigators Tuesday, saying that the SEC had launched an informal inquiry into the company and that there is also a related investigation by the Department of Justice. The U.S. Department of the Treasury’s Office of the Comptroller of the Currency (OCC), which regulates national banks and their service providers, has launched an inquiry, as has the FTC, he said.

Heartland has also been hit with a class-action lawsuit relating to the breach, which was publicly disclosed on Jan. 20. “We may, in the future, be subjected to other governmental inquiries and investigations,” Baldwin said during the call. “We intend to vigorously defend any claims asserted against us.”

Hackers were able to break into Heartland’s systems and collect unencrypted data on payment card transactions that the company processed on behalf of its merchant clients. Merchants at about 250,000 locations, including retail stores, gas stations and hotels, use Heartland’s services. Heartland does not know how long the hackers were able to steal credit card information or how many cards were affected.

In recent months at least three credit-card processing companies, including Heartland, have been the victims of sophisticated criminal attacks resulting in millions of compromised payment cards. One of the other card processors, RBS WorldPay, lost data on 1.5 million customers. A third hack, at an unnamed payment processor, was disclosed last week.

The Treasury’s OCC may be taking an interest in the breach because it could be part of a larger problem for the banking industry, said Avivah Litan, an analyst with Gartner Research. “I think that the criminal gang that targeted Heartland is targeting multiple payment processors and it’s a serious threat to the integrity of the payment systems,” she said.

Reached Wednesday, a Heartland spokesman could not say why the SEC was investigating the company.

However, the investigation may relate to stock trades made by Heartland Chairman and CEO Robert Carr after Visa notified Heartland of suspicious activity on Oct. 28, 2008. According to insider trade filings, Carr sold just under US$8 million worth of stock between Oct. 29 and the day the breach was disclosed. Heartland’s stock was trading in the $15-to-$20 range for most of these transactions, but it dropped following the breach disclosure. It closed Wednesday at $5.49.

During the conference call, Carr said that his trades were part of a 10b5-1 plan initiated in August — months before Heartland knew of any problems — to pay off his personal debt, and that he stopped selling shares as soon as the company discovered malicious software on its systems on the night of Jan. 12. “I had no discretion regarding the terms or timing of the sales,” he said.

Carr sold just over 900,000 of his 5.8 million shares before pulling the plug on the 10b5-1 plan in January, Heartland said.

It is not unusual for the FTC to investigate data breaches and use its authority to seek penalties or consumer restitution following data breaches. ChoicePoint reached a $15 million FTC settlement in 2006 after identity thieves gained access to 163,000 consumer records in the company’s database.

David Shettler, chief technology officer with the volunteer-run Open Security Foundation, said that government investigations will help Heartland’s customers and business partners understand what is going on. “There are a lot of unanswered questions,” he said. “Bankers around the country are getting frustrated because they’re having to incur the costs of reissuing these cards, and they’re not getting a lot of information.”

“The bankers are bearing the brunt of this in a time and an economy where the banks aren’t doing so great,” Shettler said.

In 2007, the Massachusetts Bankers Association sued retailer The TJX Group, seeking tens of millions of dollars in compensation for banks that were forced to reissue credit cards after hackers stole credit card information from the U.S. retailer. That suit was settled after Visa and TJX set up a $40.9 million fund to compensate banks.